Attacks show internal IP

  • Resolved rzqu

    (@rzqu)


    6 years, 8 months ago

    Hello,

    Im running the free version of Wordfence on a CentOS7 linux server running my wordpress website (which is behind a firewall)

    On all the emails i get letting me know about the increased attack rates or Top 10 IP’s that are trying to attack my webserver they all show the inside interface IP address of my firewall and not the external IP address’s that are trying to attack.

    Any ideas?

    Thanks.

Viewing 7 replies - 1 through 7 (of 7 total)
  • WFGerroald

    (@wfgerald)

    6 years, 8 months ago

    Hey @rzqu,

    How do you have How Does Wordfence Get IPs set? Can you try adjusting it until you see your IP and let me know if it helps?

    https://www.wordfence.com/help/dashboard/options/

    Thanks,

    Gerroald

    Thread Starter rzqu

    (@rzqu)

    6 years, 8 months ago

    Hi @wfgerald

    Ive tried to amend that setting to use the other options but this hasnt changed anything. – it still shows my FW internal IP Address.

    All im doing on the FW is using a NAT to port forward the external request to our wordpress server which sits behind the FW.

    Thanks

    R.

    Thread Starter rzqu

    (@rzqu)

    6 years, 8 months ago

    Hey @wfgerald

    Any other ideas or things that i can try?

    switching out those options on How Does Wordfence Get IPs didnt work for me and still shows my internal FW interface ip.

    Thanks.

    WFGerroald

    (@wfgerald)

    6 years, 8 months ago

    Hey @rzqu,

    I believe you’re going to need to reach out to your host if adjusting the ways Wordfence gets IPs isn’t helping. For some reason, the site isn’t able to detect the correct IPs. This seems like it’s going to be a server/network configuration issue.

    Please let me know what they say.

    Thanks,

    Gerroald

    Thread Starter rzqu

    (@rzqu)

    6 years, 7 months ago

    Hi @wfgerald

    Apologies for the silence, its been a busy couple weeks.

    I am indeed the host of this system, im running an OPNSense Firewall and then using NAT to present my wordpress website to the outside world. Wordfence is of course running on my WordPress site. The WordPress website is running on a CentOS server which has an internal IP address connecting to the internal NIC of my FW.

    Wordfence is telling me that all my traffic and blocked attacks are coming from my Internal IP of my FW. – which does kinda make sense given the traffic is passed from the WAN of my FW to the LAN as part of Network Address Translation (NAT) but surely im not the only person in the world to have this kind of setup.. so i would of thought there would of been others having the same issue.

    I could always switch to a reverse proxy and then tag the original ip header but for now im using NAT.

    Pulling my hair out at this and of course getting false results too so any pointers would be appreciated.

    Thanks,

    R.

    Thread Starter rzqu

    (@rzqu)

    6 years, 7 months ago

    @wfdave

    Included you Dave incase you may be able to shed some light based off a previous post;

    https://wordpress.org/support/topic/external-ips-are-recognised-as-internal-private-ips/

    Thread Starter rzqu

    (@rzqu)

    6 years, 7 months ago

    Closing.

    • This reply was modified 6 years, 7 months ago by rzqu.
Viewing 7 replies - 1 through 7 (of 7 total)

The topic ‘Attacks show internal IP’ is closed to new replies.